Elementor WordPress plugin affected by 6 vulnerabilities

Elementor WordPress Website Builder Vulnerabilities

Security researchers issued a warning about six unique XSS vulnerabilities discovered in Elementor Website Builder and its Pro version that may allow attackers to inject malicious scripts.

Elementor website builder

Elementor is a leading website building platform with over 5 million active installations worldwide, and its listing in the official WordPress repository claims that it powers over 16 million websites worldwide. The drag-and-drop interface allows anyone to quickly create professional websites, while the Pro version extends the platform with additional widgets and advanced e-commerce capabilities.

This popularity has also made Elementor a frequent target for hackers, which makes these six vulnerabilities particularly concerning.

Six XSS Vulnerabilities

Elementor Website Builder and the Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of the vulnerabilities are due to insufficient input sanitization and output escaping, while one is due to insufficient input sanitization.

Input sanitization is a standard coding practice used to protect areas of a plugin that allow users to enter data into a form field or upload media. The sanitization process blocks any input that does not conform to what is expected. A properly secured text input should block scripts and HTML, which is what input sanitization does.

Output escaping is the process of securing what the plugin sends to the browser to prevent it from exposing a site visitor’s browser to untrusted scripts.

The official WordPress developer handbook says the following about input sanitization:

“Input sanitization is the process of securing/cleaning/filtering input data.”
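How the two defenses fit together, as an added example (not Elementor's code and not part of the original article). The setting names `html_tag`, `custom_id` and `title` and all function names are hypothetical, the stored input is constructed, and the code is plain PHP so it runs outside WordPress.

```php
<?php
// Added example: hypothetical widget settings, not Elementor's implementation.

// Input sanitization: keep only what the field is expected to contain.
function sanitize_custom_id(string $raw): string {
    // An element id here needs only letters, digits, hyphen and underscore.
    return preg_replace('/[^A-Za-z0-9_-]/', '', $raw) ?? '';
}

function sanitize_tag_name(string $raw, string $default = 'div'): string {
    // Allowlist: a tag-name setting may only be one of a few known tags.
    $allowed = ['div', 'span', 'p', 'h2', 'h3'];
    $tag = strtolower(trim($raw));
    return in_array($tag, $allowed, true) ? $tag : $default;
}

// Output escaping: encode the value for the place it is printed into.
// Inside WordPress, esc_attr() and esc_html() do this job.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_widget(array $settings): string {
    $tag   = sanitize_tag_name($settings['html_tag'] ?? '');
    $id    = sanitize_custom_id($settings['custom_id'] ?? '');
    $title = (string) ($settings['title'] ?? '');
    // Escape at output even when the value was sanitized on input:
    // stored data may predate the sanitizer or come from another code path.
    return sprintf(
        '<%1$s id="%2$s">%3$s</%1$s>',
        $tag,
        escape_html($id),
        escape_html($title)
    );
}

// Constructed sample: settings as a low-privileged author might have saved them.
$stored = [
    'html_tag'  => 'script',
    'custom_id' => 'hero" onmouseover="alert(1)',
    'title'     => '<img src=x onerror=alert(1)>',
];

echo render_widget($stored), PHP_EOL;
```

The disallowed tag falls back to the default, the id loses every character outside the allowlist, and the title reaches the browser as inert text rather than markup.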

It is important to note that the six vulnerabilities are distinct and completely unrelated to each other and arise specifically from insufficient security on the Elementor side. One of them, CVE-2024-2120, may affect both the free and pro versions. I contacted Wordfence for clarification and will update this article accordingly after receiving a response.

List of six Elementor vulnerabilities

Below is a list of the six vulnerabilities and the versions they affect. All six vulnerabilities are classified as medium security threats. The first two in the list apply to Elementor Website Builder and the next four apply to the Pro version. The CVE number refers to the entry in the official Common Vulnerabilities and Exposures database, which serves as a reference for known vulnerabilities.

Elementor Website Builder (CVE-2024-2117)
Affects versions up to and including 3.20.2: Authenticated DOM-based stored cross-site scripting via the Path widget
Elementor Website Builder Pro (and maybe free) (CVE-2024-2120)
Affects versions up to and including 3.20.1: Authenticated stored cross-site scripting via Post Navigation
Elementor Website Builder Pro (CVE-2024-1521)
Affects versions up to and including 3.20.1: Authenticated stored cross-site scripting via form widget SVGZ file upload
This vulnerability only affects NGINX-based servers. Servers running Apache HTTP Server are not affected.
Elementor Website Builder Pro (CVE-2024-2121)
Affects versions up to and including 3.20.1: Authenticated stored cross-site scripting via the Media Carousel widget
Elementor Website Builder Pro (CVE-2024-1364)
Affects versions up to and including 3.20.1: Authenticated stored cross-site scripting via the widget custom ID
Elementor Website Builder Pro (CVE-2024-2781)
Affects versions up to and including 3.20.1: Authenticated DOM-based stored cross-site scripting via video_html_tag

All six vulnerabilities are classified as medium security threats and require contributor-level permissions to exploit.

Elementor Website Builder changelog

According to Wordfence, there are two vulnerabilities affecting the free version of Elementor. But the changelog shows only one fix.

The issues affecting the free version are in the Path widget and the Post Navigation widget.

But the changelog for the free version only lists a patch for the Text Path widget and not for Post Navigation:

“Security Fix: Improved enforcement of code security in text path widget”

The post navigation widget is a navigation feature that allows site visitors to navigate to the previous or next post in a series of posts.

So although it is missing from the free version's changelog, it is included in the Elementor Pro changelog, which shows that it is fixed in that version:

“Security Fix: Improved Code Security Enforcement in the Media Carousel Widget
Security Fix: Improved Code Security Enforcement in the Form Widget
Security Fix: Improved Code Security Enforcement in the Post Navigation Widget
Security Fix: Applying improved code security to the Gallery widget
Security Fix: Applying improved code security to the Video Playlist widget”

The missing entry in the free changelog may be a Wordfence misprint because the official Wordfence notice for CVE-2024-2120 shows an entry for “software slug” as elementor-pro.

Recommended course of action

Users of both versions of Elementor Website Builder are advised to update their plugin to the latest version. Although exploiting these vulnerabilities requires an attacker to obtain contributor-level credentials, that is still within the realm of possibility, especially if contributors do not have strong passwords.

Read the official Wordfence notices:

Elementor Website Builder: More Than a Page Builder <= 3.20.2: Authenticated DOM-Based Stored Cross-Site Scripting (Contributor+) via Path Widget CVE-2024-2117

Elementor Website Builder: More Than a Page Builder <= 3.20.1: Authenticated Stored Cross-Site Scripting (Contributor+) via Post Navigation CVE-2024-2120

Elementor Website Builder Pro <= 3.20.1: Authenticated Stored Cross-Site Scripting (Contributor+) via Form Widget SVGZ File Upload CVE-2024-1521

Elementor Website Builder Pro <= 3.20.1: Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2121

Elementor Website Builder Pro <= 3.20.1: Authenticated Stored Cross-Site Scripting (Contributor+) using Widget Custom ID CVE-2024-1364

Elementor Website Builder Pro <= 3.20.1: Authenticated DOM-Based Cross-Site Scripting (Contributor+) using video_html_tag CVE-2024-2781

Featured image by Shutterstock/hugolacasse




About the Author: Ted Simmons

I follow and report the current news trends on Google news.
